{{admon/warning | In construction | This page is being moved into QA test cases [https://fedoraproject.org/wiki/Category:Certificate_Trust_Test_Cases available here]. This is preparation for the [[Test_Day:2013-03-28_Shared_System_Certificates|Test day of this feature]]}}

+

Instructions for testing the [[Features/SharedSystemCertificates]] feature of Fedora 19.

Instructions for testing the [[Features/SharedSystemCertificates]] feature of Fedora 19.

Line 5:

Line 8:

==Preparation==

==Preparation==

−

Please use a fresh Firefox profile (firefox -P) prior to a each new test cycle. This is to make sure that changes made to CA trust settings from earlier tests will be cleaned, and that you will get the exact behaviour as described on this page. An alternative to creating a fresh profile, quit Firefox and run

+

Please use a fresh Firefox profile (firefox -P) prior to a each new test cycle. This is to make sure that changes made to CA trust settings from earlier tests will be cleaned, and that you will get the exact behaviour as described on this page.

+

{{admon/warning | Dangerous. Not possible to undo! | This command will delete all personal keys and passwords that are stored in Firefox. Only use this command on a test user account! }}

Because we are configuring the default system behaviour, the user account that you will use for testing needs permission to use the sudo command. You can test using

+

sudo bash

+

+

If it works, good. If not, you must login to your system as the root user, edit file /etc/sudoers and add the following line. Replace the word myself with the name of your user account.

+

myself ALL=(ALL) ALL

+

+

==Learn how to clear the Firefox cache==

+

Because Firefox caches (remembers) recently viewed web sites, you might sometimes get unexpected results. A web site might still be cached, and shown by Firefox, even if the root CA used by the site has been reconfigured and is no longer trusted.

+

+

To enforce that Firefox will reload the site, it is best to clear the Firefox cache. From the Firefox menu, select Tools, Clear Recent History. Time Range: Everything. Open the details, and make sure that both Cache and Active Logins are selected. Click Clear Now and restart Firefox.
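
Review bot: The added warning in Preparation says "This command will delete all personal keys and passwords", but the revised paragraph above it drops the old ending "An alternative to creating a fresh profile, quit Firefox and run", and no command appears in the lines shown, so a reader cannot tell which command is dangerous. Either restore that lead-in together with the command, or name the command inside the warning. In the sudo paragraph, suggest editing /etc/sudoers through visudo rather than directly, since a syntax error in that file can leave sudo unusable, and say that the "myself ALL=(ALL) ALL" line should be removed again after testing. The typo "prior to a each" is carried over from the old text.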

<span style="background-color:lightblue;">{The only application passing this test correctly is Firefox. Fixing other applications and crypto toolkits to pass this test is outside the scope of this Fedora feature.}</span>

Ideally (later) should be: right of url bar shows open padlock with orange exclamation symbol

Test F:

Test F:

java testbz443

java testbz443

−

many error messages

+

Probably: connection worked

+

Ideally (later) should be: error messages

+

+

==Undo the distrust of a systemwide CA==

+

We remove the distrust:

+

rm -f /etc/pki/ca-trust/source/testing-default-distrust.p11-kit

+

update-ca-trust

+

+

Now you should repeat (at least) the Firefox test and get the results as described in section "Test that a regular web site is trusted".

+

+

=Verify editing CA trust in Firefox still works as expected=

+

Firefox allows to edit and override the default trust of the CAs included with Firefox. The new Fedora feature replaces the component that contains the Firefox default trust (same default contents, different technology). We must make sure that the old functionality still works.
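
Review bot: In Test F the expected result changes from "many error messages" to "Probably: connection worked", which is not something a tester can check against; state the outcome that counts as a pass for this release and keep "Ideally (later) should be: error messages" as the note about future behaviour. In the new "Undo the distrust of a systemwide CA" section, the rm -f and update-ca-trust lines do not say they must run as root, for example from the sudo bash shell set up in Preparation. That section should also remind the tester to clear the cache and restart Firefox before repeating the Firefox test, to match the cache section added in this same edit.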

Please use a fresh Firefox profile (firefox -P) prior to each new test cycle. This makes sure that changes made to CA trust settings in earlier tests are cleared, and that you get the exact behaviour described on this page.

Dangerous. Not possible to undo! This command will delete all personal keys and passwords that are stored in Firefox. Only use this command on a test user account!

Because Firefox caches (remembers) recently viewed web sites, you might sometimes get unexpected results. A web site might still be cached, and shown by Firefox, even if the root CA used by the site has been reconfigured and is no longer trusted.

To enforce that Firefox will reload the site, it is best to clear the Firefox cache. From the Firefox menu, select Tools, Clear Recent History. Time Range: Everything. Open the details, and make sure that both Cache and Active Logins are selected. Click Clear Now and restart Firefox.

In our earlier tests, we have added (1) to the systemwide configuration.

The server at test9431.kuix.de:9431 uses a certificate that was issued by (3).

A root CA (1) might have issued a SUB CA that got compromised at a later time, and operating systems might add configuration to distrust it. The default system configuration that we use in Fedora 19 knows about (2) and actively distrusts it. Now that we have told the system to trust (1), we can verify if the software respects the configuration to correctly distrust (2). For this purpose, we use an additional test site at test9430.kuix.de:9430, which uses a certificate issued by (2).

Firefox allows you to edit and override the default trust of the CAs included with Firefox. The new Fedora feature replaces the component that contains the Firefox default trust (same default contents, different technology). We must make sure that the old functionality still works.
